Like my previous blogpost on Conditional Access are this a setting not in Intune – but directly a AzureAD feature (Preview)

Now we just have to get around that Conditional Access is not only a question about compliance on the device – but the conditional can also be based on location.

This is pretty cool if you need to block all access to O365 based on location or just require MFA when your outside your company.

To configure this you need to go into the AzureAD portal https://portal.windowsazure.com

Go into your AzureAD directory -> Applications

Find the Office 365 application

Go into configure

Set the “Enable Access rules” to on

Apply it to all users or a specific group (I have a Except group also – so that it not conflict with my Conditional Access in my Intune)

Select “Block Access when not at work”

In the “Click here to define/edit your network location” you will be taken to your Azure MFA setting page

If you have not configured your “Skip multi-factor authentication…” then you have to put in your outside IP range for the company.

How does this look likes for a user perspective in a webbrowser when trying to access portal.office.com

Just login as normal – and you get access to your application list – start the mail.

Then you get blocked if your not accessing O365 from the IP scope you have defined in the MFA settings.

I you click “More details” you can see a list of information – and one of them is what IP address your come from.

Remember this is a feature in preview – but you can start testing 🙂